CVE-2011-1093
Public on
Last Modified:
Insights vulnerability analysis
Description
The CVE Program describes this issue as:
The dccp_rcv_state_process function in net/dccp/input.c in the Datagram Congestion Control Protocol (DCCP) implementation in the Linux kernel before 2.6.38 does not properly handle packets for a CLOSED endpoint, which allows remote attackers to cause a denial of service (NULL pointer dereference and OOPS) by sending a DCCP-Close packet followed by a DCCP-Reset packet.
Statement
This issue did not affect the version of Linux kernel as shipped with Red Hat Enterprise Linux 4 as it did not include support for the DCCP protocol. Future updates in Red Hat Enterprise Linux 5, 6 and Red Hat Enterprise MRG may address this flaw.
Mitigation
For users that do not run applications that use DCCP, you can prevent the dccp
module from being loaded by adding the following entry to the end of the
/etc/modprobe.d/blacklist file:
blacklist dccp
This way, the dccp module cannot be loaded accidentally, which may occur if an
application that requires DCCP is started. A reboot is not necessary for this
change to take effect but do make sure the module is not loaded in the first
place. You can verify that by running:
lsmod | grep dccp
You may also consider removing the CAP_SYS_MODULE capability from the current
global capability set to prevent kernel modules from being loaded or unloaded.
The CAP_SYS_MODULE has a capability number of 16 (see linux/capability.h). The
default value has all the bits set. To remove this capability, you have to
clear the 16th bit of the default 32-bit value, e.g. 0xffffff ^ (1 << 16):
echo 0xFFFEFFFF > /proc/sys/kernel/cap-bound
Additional information
- Bugzilla 682954: kernel: dccp: fix oops on Reset after close
- CWE-672->CWE-476: Operation on a Resource after Expiration or Release leads to NULL Pointer Dereference
- FAQ: Frequently asked questions about CVE-2011-1093
Common Vulnerability Scoring System (CVSS) Score Details
Important note
CVSS scores for open source components depend on vendor-specific factors (e.g. version or build chain). Therefore, Red Hat's score and impact rating can be different from NVD and other vendors. Red Hat remains the authoritative CVE Naming Authority (CNA) source for its products and services (see Red Hat classifications).
Red Hat | NVD | |
---|---|---|
CVSS v2 Base Score | 7.8 | 7.8 |
Attack Vector | Network | Network |
Access Complexity | Low | Low |
Authentication | None | None |
Confidentiality Impact | None | None |
Integrity Impact | None | None |
Availability Impact | Complete | Complete |
CVSS v2 Vector
Red Hat: AV:N/AC:L/Au:N/C:N/I:N/A:C
NVD: AV:N/AC:L/Au:N/C:N/I:N/A:C
Frequently Asked Questions
Why is Red Hat's CVSS v3 score or Impact different from other vendors?
My product is listed as "Under investigation" or "Affected", when will Red Hat release a fix for this vulnerability?
What can I do if my product is listed as "Will not fix"?
What can I do if my product is listed as "Fix deferred"?
What is a mitigation?
I have a Red Hat product but it is not in the above list, is it affected?
Why is my security scanner reporting my product as vulnerable to this vulnerability even though my product version is fixed or not affected?
Not sure what something means? Check out our Security Glossary.
Want to get errata notifications? Sign up here.